What is file carving and its basic techniques?

File carving is the process of identifying and recovering files by scanning the raw bytes (unprocessed bytes or memory) from the disk and reassembling them. Raw bytes are used because modern file systems tend to overwrite the metadata (data that provides information about other data) of deleted files. Recovering files without file system metadata therefore requires file carving techniques, which are used for many purposes, such as digital forensics.

File carving techniques

The following file carving techniques are used to recover deleted data:

Header-footer carving

Many file types have standard headers and footers stored inside them. For example, a JPEG (a format that reduces image file size) starts with a "Start of image" header and ends with an "End of image" footer. To recover the image file, analysts carve out everything between the JPEG header and footer.

The following illustrates how a JPEG image is carved using this technique:

Figure: Carving a JPEG

All the data between the header address 0xAA0A7 and footer address 0xFF08 are extracted to represent a JPEG image file.

Note: The master file table stores all the information about every file and folder on the disk volume.
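The header-footer technique described above, as an added Python example that is not part of the original page: it scans a raw buffer for the JPEG "Start of image" (`FF D8 FF`) and "End of image" (`FF D9`) markers and extracts everything between them. The function names, the `max_size` limit and the sample buffer are constructed for illustration.

```python
"""Header-footer carving of JPEG images from a raw byte buffer (added example)."""
from typing import List, Tuple

JPEG_SOI = b"\xff\xd8\xff"  # "Start of image" marker plus first byte of the next marker
JPEG_EOI = b"\xff\xd9"      # "End of image" marker


def carve_jpegs(raw: bytes, max_size: int = 20 * 1024 * 1024) -> List[Tuple[int, int, bytes]]:
    """Return (start, end, data) for each header/footer pair; end is exclusive.

    max_size is an assumed upper bound on one image. A header with no footer
    inside that window is skipped: its tail was overwritten or the file is
    fragmented, which plain header-footer carving cannot reassemble.
    An embedded thumbnail carries its own footer and would end a carve early.
    """
    carved = []
    pos = 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start == -1:
            break
        footer = raw.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if footer == -1:
            pos = start + 1          # orphan header: keep scanning after it
            continue
        end = footer + len(JPEG_EOI)
        carved.append((start, end, raw[start:end]))
        pos = end                    # resume after the carved file
    return carved


def build_sample_image() -> bytes:
    """Constructed sample buffer: not a real disk image or a decodable JPEG."""
    fake_jpeg = JPEG_SOI + b"\xe0" + b"JFIF-payload" + JPEG_EOI
    orphan = JPEG_SOI + b"\xe0" + b"tail overwritten"   # header, no footer
    return b"\x00" * 16 + fake_jpeg + b"\x11" * 8 + fake_jpeg + b"\x00" * 4 + orphan


if __name__ == "__main__":
    for start, end, data in carve_jpegs(build_sample_image()):
        print(f"carved {len(data)} bytes at 0x{start:X}-0x{end:X}")
```
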

File structure carving

Certain file systems store files in fixed-sized data blocks. This technique uses internal file metadata, if available, and finds the cluster size (the smallest amount of disk space that can be used to hold a file). It then reads the entire cluster and hunts for internal signatures in addition to the header and footer. Other internal signatures include identifier strings, size information, and so on. PhotoRec software uses the file structure carving technique to recover data of such file types.

Content-based carving

This carving technique is used to recover file data that has not been recovered by file structure carving. It uses machine learning and statistics-based algorithms to look for statistical signatures indicating language or file content. It gathers and identifies all possible data clusters of an image that appear to be related, scans all these fragmented (non-contiguous) pieces of memory, cleans them, and extracts the relevant data.

Copyright ©2025 Educative, Inc. All rights reserved